Module: PWN::SAST::BannedFunctionCallsC

Defined in:
lib/pwn/sast/banned_function_calls_c.rb

Overview

SAST Module used to identify banned function calls in C & C++ code per: msdn.microsoft.com/en-us/library/bb288454.aspx

Constant Summary collapse

@@logger = 
PWN::Plugins::PWNLogger.create

Class Method Summary collapse

Class Method Details

.authorsObject

Author(s)

0day Inc. <[email protected]>



252
253
254
255
256
 
# File 'lib/pwn/sast/banned_function_calls_c.rb', line 252

public_class_method def self.authors
  "AUTHOR(S):
    0day Inc. <[email protected]>
  "
end

.helpObject

Display Usage for this Module



260
261
262
263
264
265
266
267
268
269
 
# File 'lib/pwn/sast/banned_function_calls_c.rb', line 260

public_class_method def self.help
  puts "USAGE:
    sast_arr = #{self}.scan(
      :dir_path => 'optional path to dir defaults to .',
      :git_repo_root_uri => 'optional http uri of git repo scanned'
    )

    #{self}.authors
  "
end

.scan(opts = {}) ⇒ Object

Supported Method Parameters

PWN::SAST::BannedFunctionCallsC.scan(

:dir_path => 'optional path to dir defaults to .'
:git_repo_root_uri => 'optional http uri of git repo scanned'

)



19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
 
# File 'lib/pwn/sast/banned_function_calls_c.rb', line 19

public_class_method def self.scan(opts = {})
  dir_path = opts[:dir_path]
  git_repo_root_uri = opts[:git_repo_root_uri].to_s.scrub
  result_arr = []
  logger_results = ''

  PWN::Plugins::FileFu.recurse_dir(dir_path: dir_path) do |entry|
    if (File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/) && (File.extname(entry) == '.c' || File.extname(entry) == '.cpp' || File.extname(entry) == '.c++' || File.extname(entry) == '.cxx' || File.extname(entry) == '.h' || File.extname(entry) == '.hpp' || File.extname(entry) == '.h++' || File.extname(entry) == '.hh' || File.extname(entry) == '.hxx' || File.extname(entry) == '.ii' || File.extname(entry) == '.ixx' || File.extname(entry) == '.ipp' || File.extname(entry) == '.inl' || File.extname(entry) == '.txx' || File.extname(entry) == '.tpp' || File.extname(entry) == '.tpl') && entry !~ /test/i
      line_no_and_contents_arr = []
      entry_beautified = false

      if File.extname(entry) == '.js' && (`wc -l #{entry}`.split.first.to_i < 20 || entry.include?('.min.js') || entry.include?('-all.js'))
        js_beautify = `js-beautify #{entry} > #{entry}.JS-BEAUTIFIED`.to_s.scrub
        entry = "#{entry}.JS-BEAUTIFIED"
        entry_beautified = true
      end

      test_case_filter = "
        grep -Fn \
        -e 'strcpy' \
        -e 'strcpyA' \
        -e 'strcpyW' \
        -e 'wcscpy' \
        -e '_tcscpy' \
        -e '_mbscpy' \
        -e 'StrCpy' \
        -e 'StrCpyA' \
        -e 'StrCpyW' \
        -e 'lstrcpy' \
        -e 'lstrcpyA' \
        -e 'lstrcpyW' \
        -e '_tccpy' \
        -e '_mbccpy' \
        -e '_ftcscpy' \
        -e 'strncpy' \
        -e 'wcsncpy' \
        -e '_tcsncpy' \
        -e '_mbsncpy' \
        -e '_mbsnbcpy' \
        -e 'StrCpyN' \
        -e 'StrCpyNA' \
        -e 'StrCpyNW' \
        -e 'StrNCpy' \
        -e 'strcpynA' \
        -e 'StrNCpyA' \
        -e 'StrNCpyW' \
        -e 'lstrcpyn' \
        -e 'lstrcpynA' \
        -e 'lstrcpynW' \
        -e 'strcat' \
        -e 'strcatA' \
        -e 'strcatW' \
        -e 'wcscat' \
        -e '_tcscat' \
        -e '_mbscat' \
        -e 'StrCat' \
        -e 'StrCatA' \
        -e 'StrCatW' \
        -e 'lstrcat' \
        -e 'lstrcatA' \
        -e 'lstrcatW' \
        -e 'StrCatBuff' \
        -e 'StrCatBuffA' \
        -e 'StrCatBuffW' \
        -e 'StrCatChainW' \
        -e '_tccat' \
        -e '_mbccat' \
        -e '_ftcscat' \
        -e 'strncat' \
        -e 'wcsncat' \
        -e '_tcsncat' \
        -e '_mbsncat' \
        -e '_mbsnbcat' \
        -e 'StrCatN' \
        -e 'StrCatNA' \
        -e 'StrCatNW' \
        -e 'StrNCat' \
        -e 'StrNCatA' \
        -e 'StrNCatW' \
        -e 'lstrncat' \
        -e 'lstrcatnA' \
        -e 'lstrcatnW' \
        -e 'lstrcatn' \
        -e 'sprintfW' \
        -e 'sprintfA' \
        -e 'wsprintf' \
        -e 'wsprintfW' \
        -e 'wsprintfA' \
        -e 'sprintf' \
        -e 'swprintf' \
        -e '_stprintf' \
        -e 'wvsprintf' \
        -e 'wvsprintfA' \
        -e 'wvsprintfW' \
        -e 'vsprintf' \
        -e '_vstprintf' \
        -e 'vswprintf' \
        -e 'wvsprintf' \
        -e 'wvsprintfA' \
        -e 'wvsprintfW' \
        -e 'vsprintf' \
        -e '_vstprintf' \
        -e 'vswprintf' \
        -e 'strncpy' \
        -e 'wcsncpy' \
        -e '_tcsncpy' \
        -e '_mbsncpy' \
        -e '_mbsnbcpy' \
        -e 'StrCpyN' \
        -e 'StrCpyNA' \
        -e 'StrCpyNW' \
        -e 'StrNCpy' \
        -e 'strcpynA' \
        -e 'StrNCpyA' \
        -e 'StrNCpyW' \
        -e 'lstrcpyn' \
        -e 'lstrcpynA' \
        -e 'lstrcpynW' \
        -e '_fstrncpy' \
        -e 'strncat' \
        -e 'wcsncat' \
        -e '_tcsncat' \
        -e '_mbsncat' \
        -e '_mbsnbcat' \
        -e 'StrCatN' \
        -e 'StrCatNA' \
        -e 'StrCatNW' \
        -e 'StrNCat' \
        -e 'StrNCatA' \
        -e 'StrNCatW' \
        -e 'lstrncat' \
        -e 'lstrcatnA' \
        -e 'lstrcatnW' \
        -e 'lstrcatn' \
        -e '_fstrncat' \
        -e 'gets' \
        -e '_getts' \
        -e '_gettws' \
        -e 'IsBadWritePtr' \
        -e 'IsBadHugeWritePtr' \
        -e 'IsBadReadPtr' \
        -e 'IsBadHugeReadPtr' \
        -e 'IsBadCodePtr' \
        -e 'IsBadStringPtr' \
        -e 'memcpy' \
        -e 'RtlCopyMemory' \
        -e 'CopyMemory' \
        -e 'wmemcpy' #{entry}
      "

      str = `#{test_case_filter}`.to_s.scrub

      if str.to_s.empty?
        # If str length is >= 64 KB do not include results. (Due to Mongo Document Size Restrictions)
        logger_results = "#{logger_results}~" # Catching bugs is good :)
      else
        str = "1:Result larger than 64KB -> Size: #{str.to_s.length}.  Please click the \"Path\" link for more details." if str.to_s.length >= 64_000

        hash_line = {
          timestamp: Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s,
          security_references: security_references,
          filename: { git_repo_root_uri: git_repo_root_uri, entry: entry },
          line_no_and_contents: '',
          raw_content: str,
          test_case_filter: test_case_filter
        }

        # COMMMENT: Must be a better way to implement this (regex is kinda funky)
        line_contents_split = str.split(/^(\d{1,}):|\n(\d{1,}):/)[1..-1]
        line_no_count = line_contents_split.length # This should always be an even number
        current_count = 0
        while line_no_count > current_count
          line_no = line_contents_split[current_count]
          contents = line_contents_split[current_count + 1]
          if Dir.exist?("#{dir_path}/.git") ||
             Dir.exist?('.git')

            repo_root = dir_path
            repo_root = '.' if Dir.exist?('.git')

            author = PWN::Plugins::Git.get_author(
              repo_root: repo_root,
              from_line: line_no,
              to_line: line_no,
              target_file: entry,
              entry_beautified: entry_beautified
            )
          else
            author = 'N/A'
          end
          hash_line[:line_no_and_contents] = line_no_and_contents_arr.push(
            line_no: line_no,
            contents: contents,
            author: author
          )

          current_count += 2
        end
        result_arr.push(hash_line)
        logger_results = "#{logger_results}x" # Seeing progress is good :)
      end
    end
  end
  logger_banner = "http://#{Socket.gethostname}:8808/doc_root/pwn-#{PWN::VERSION.to_s.scrub}/#{to_s.scrub.gsub('::', '/')}.html"
  if logger_results.empty?
    @@logger.info("#{logger_banner}: No files applicable to this test case.\n")
  else
    @@logger.info("#{logger_banner} => #{logger_results}complete.\n")
  end
  result_arr
rescue StandardError => e
  raise e
end

.security_referencesObject

Used primarily to map NIST 800-53 Revision 4 Security Controls web.nvd.nist.gov/view/800-53/Rev4/impact?impactName=HIGH to PWN Exploit & Static Code Anti-Pattern Matching Modules to Determine the level of Testing Coverage w/ PWN.



238
239
240
241
242
243
244
245
246
247
248
 
# File 'lib/pwn/sast/banned_function_calls_c.rb', line 238

public_class_method def self.security_references
  {
    sast_module: self,
    section: 'INFORMATION INPUT VALIDATION',
    nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SI-10',
    cwe_id: '676',
    cwe_uri: 'https://cwe.mitre.org/data/definitions/676.html'
  }
rescue StandardError => e
  raise e
end